Parameters passed to token_replace() are not checked [#490904]

/**
 * Helper function for preg_replace_callback to generate the html for each token filter
 */
function token_filter_replacetoken($matches) {  
  global $user;
  $type  = $matches[1];
  $token = $matches[2];
  switch ($type) {
    case 'user' :
      $object = $user;
      break;
    case 'global':
    default:
      $object = NULL;
      break;
  } 
  
  // add [ ] to the token so str_replace correctly replaces token values
  // if not, a token like 'custom_text' won't be properly replaced if another token like 'custom' exists  
  $token = '['.$token.']';
    
  $output = token_replace($token, $type, $object, '[', ']');  
  return $output;
}

The function passes any value for $type, even if it's not global, or user.

The correct code should be

/**
 * Helper function for preg_replace_callback to generate the html for each token filter
 */
function token_filter_replacetoken($matches) {  
  global $user;
  
  $type  = $matches[1];
  $token = $matches[2];
  
  if ($type != 'user' && $type != 'global') {
    return '';
  }
  
  switch ($type) {
    case 'user':
      $object = $user;
      break;
    
    case 'global':
    default:
      $object = NULL;
      break;
  } 
  
  // add [ ] to the token so str_replace correctly replaces token values
  // if not, a token like 'custom_text' won't be properly replaced if another token like 'custom' exists  
  $token = '['.$token.']';
    
  $output = token_replace($token, $type, $object, '[', ']');  
  return $output;
}

Also, $token = '['.$token.']' forces the user to use [token user [uid]], when it would be preferable to use [token user [uid]].

Comments

Comment #1

apaderno

he/him

Italian

Brescia, 🇮🇹 🇪🇺

CreditAttribution: apaderno commented 13 June 2009 at 20:47

The last sentence should be read as: also, $token = '['.$token.']' forces the user to use [token user [uid]], when it would be preferable to use [token user uid].

Comment #2

apaderno

he/him

Italian

Brescia, 🇮🇹 🇪🇺

CreditAttribution: apaderno commented 13 June 2009 at 21:27

    case 'global':
    default:
      $object = NULL;
      break;

can ben simplified in

    case 'global':
      $object = NULL;
      break;

because the function would not use values for $type that are not global, or user.

Comment #3

pvhee CreditAttribution: pvhee commented 13 June 2009 at 22:10

Hm, I don't agree with the corrections:

    case 'global':
    default:
      $object = NULL;
      break;

makes sure you can use other contexts (eg custom contexts provided by a custom module) in the token filter, next to the global and user context (and that you don't want mixed in the global context).

In the latest revision, I've added the '[' and ']' around the text to replace only in the internal replace mechanism, such that eg 'custom' and 'custom_text' are not conflicting. You can still use [token user uid] in the token filter, [token user [uid]] won't work!

Comment #4

apaderno

he/him

Italian

Brescia, 🇮🇹 🇪🇺

CreditAttribution: apaderno commented 14 June 2009 at 22:29

Custom contexts provided by third-party module probably require an object that the module is not able to pass to the function. That is the reason I suggested to only handle user, and global replacement.

Comment #5

justingeeslin CreditAttribution: justingeeslin commented 16 November 2012 at 20:26

I'm creating a module which creates its own tokens in a context other than 'user' and 'global'. The suggested changes would force me to create build in a input filter for my tokens into my module.

I don't agree with the corrections either.